Download & Extend
Nodeaccess » Issues

Create additional permissions for anonymous authors

Posted by jbylsma on November 1, 2010 at 10:01pm
Project:Nodeaccess
Version:6.x-1.3
Component:Code
Category:feature request
Priority:major
Assigned:Unassigned
Status:needs review

Issue Summary

I was debating whether or not to post this directly to the 5.x issue but decided to make a new post instead. I had run into problems where nodes were assigned to anonymous and had become available for unauthenticated users to edit and delete. A filter permission was luckily preventing most of the content types from being touched, but the content type for profiles was not.

After reviewing the posts in the 5.x issue, I decided to extend out the author permissions to create separate permissions for anonymous authors. With this patch, the default permission for anonymous authors is to view content only. The additional permissions of update and delete are assignable, just like any other nodeaccess permission. I did write a additional hook_update_x and extended the hook_install function to create and populate the "nodeaccess_anon_authors" variable.

I've tested the changes and it seems like everything is working as expected. I hope this helps some people clear up some unexpected security issues!

AttachmentSize
306541.patch10.35 KB
Login or register to post comments

Comments

#1

Posted by monotaga on January 31, 2011 at 6:53pm

jbylsma, thanks for this patch. I'm testing it out and it seems to work for me thus far. I ran into this unexpected issue when one of my content types allowed authors edit access. Having a lot of anonymous authored nodes on my site (due to content import from a previous CMS), this became a troubling little issue.

I'd be interested in seeing this patch included. (...Or figuring out if it's time to move over to using a different module, eg. "Content Access".)

Thoughts?

#2

Posted by jbylsma on February 18, 2011 at 5:09am

I initially decided to the use NodeAccess because of its integration with Node Hierarchy (which Mark Carver and I ported to 6.x at #716206: NodeHierarchyAccess in 6.x-2.x. ) I've been happy with its performance and, at least for Drupal 6, haven't had a need to pursue any other content access modules. If you haven't had any other problems with NodeAccess, I'd recommend sticking with it.

I think incorporating the patch into the module would be smart, mainly as a bug fix to prevent anonymous users from editing and deleting. From the looks of it, chadcf has been concentrating on 7.x (see #926020: This is my mission. There are many like it, but this one is mine. and his 7.x github at http://github.com/chadcf/nodeaccess/commits/master).

#3

Posted by acrazyanimal on March 8, 2011 at 7:32pm

I am experiencing the same problem. I also recommend that this be incorporated into the module.

thanks,
J